#vulnerability

### Impact A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext. No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability. ### Patches PQClean does not have a release process, as it is a collection of implementations. If you obtained a HQC implementation from PQClean, please update to a version that includes the fixes proposed in https://github.com/PQClean/PQClean/pull/578. Please also [refer to our security policy](https://github.com/PQClean/PQClean/blob/master/SECURITY.md). ### Workarounds Manually patching is always possible ### Further details In the 2023/04/30 ...

A critical flaw in the company's rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

### Summary An arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. ### Impact Arbitrary file read on the host

### Summary The /api/asset/upload endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored XSS (via the file write). ### Impact Arbitrary file write

### Impact [Impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) is a feature of the Kubernetes API, allowing to override user information. As downstream project, kcp inherits this feature. As per the linked documentation a specific level of privilege (usually assigned to cluster admins) is required for impersonation. The vulnerability in kcp affects kcp installations in which users are granted the `cluster-admin` ClusterRole (or comparably high permission levels that grant impersonation access; the verb in question is `impersonate`) within their respective workspaces. As kcp builds around self-service confined within workspaces, most installations would likely grant such workspace access to their users. Such users can impersonate special global administrative groups, which circumvent parts of the authorizer chains, e.g. [maximal permission policies](https://docs.kcp.io/kcp/v0.26/concepts/apis/exporting-apis/#maximal-permission-po...

File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067

SUMMARY Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake,…

High-profile security incidents provide examples of how common vulnerabilities can be exploited. If you pay attention, you can learn from others' mistakes.

The ABB Cylon Aspect BMS/BAS system suffers from an unauthenticated configuration disclosure vulnerability. This can be exploited to retrieve sensitive configuration data, including file paths, environment settings, and the location of system scripts. These exposed configuration files may allow an attacker to gain insights into the system's structure, facilitating further attacks or unauthorized access.

Hackers are constantly evolving, and so too should our security protocols.